Detecting and classifying man-in-the-middle attacks in the private area network of smart grids

The sustainable development of smart grids requires the massive deployment of renewable energy, in a highly distributed manner, introducing new challenges for the system operation. Therefore, the integration of information and communication technologies in sites with Distributed Energy Resources (DERs) is needed to monitor and control the DERs operation. In this scheme, a local controller is installed at each DER site to interact with the centralized applications at the grid level and the power equipment at the site level. This local controller uses client-server protocols (e.g., Modbus TCP/IP and IEC 61850 Manufacturing Message Specification) to communicate with different power equipment in the Private Area Network (PAN) of the site. Such protocols often lack information confidentiality and integrity mechanisms. As a result, the smart grids become vulnerable to cyber-attacks. To safeguard smart grid applications, this paper proposes a Hybrid Network Intrusion Detection System approach (HNIDS), where machine learning-based anomaly and signature-based are combined. The proposed methodology detects and classifies Man-In-The-Middle (MITM) attacks in eavesdropping mode in PANs, without violating customer privacy. The ability to detect unknown MITM attack techniques, identify affected packets, and determine the victim device(s) are the major advantages of this approach. An experimental testbed has been used to collect real-life data and validate the effectiveness of the proposed approach in smart grid applications. The proposed HNIDS is evaluated using a simulation as well as real-life laboratory experiments, demonstrating very high accuracy in detection rate, from 97.6% to 100%, with an average of the weighted F1-score over 98%.